On December 10, 2021, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency, and others announced a critical remote code execution vulnerability in many versions of Apache’s Log4j software. Log4j is a java-based logging utility incorporated in frameworks, websites, and applications, and is widely used by major cloud services and well-known software vendors and manufacturers. According to senior cybersecurity professionals, this vulnerability is very serious.
Cybersecurity threat actors are actively exploiting Log4j vulnerabilities. Successful exploitation of a vulnerability can be used to deploy ransomware, steal data, and disrupt operations.
All regulated entities should promptly assess risk to their organization, customers, consumers, and third party service providers based upon the evolving information and take action to mitigate risk. Organizations are urged to review and monitor the Apache Log4j Security Vulnerabilities web page for updates and mitigation guidance.
Regulated entities are reminded to report cybersecurity events that meet the criteria certainly reference our data breach notice act (9 V.S.A. 2435) and DFR Bulletin #4.